Welcome to Cybersecurity for In-House Lawyers
Cybersecurity was once a narrowly technical field: code, malware, controlling access to systems and data, and network protocols. It was mostly a concern for information technology (IT) departments. In the last decade, as business has moved onto the Internet, cybersecurity has become everyone’s problem.
In-house lawyers are now involved with virtually every cybersecurity issue. So much business is online, and what is online is a target for threat actors. In this article, you’ll learn about the business of cybersecurity, key technical concepts, and the law so you can get a sense of potential threats and risks and know how to stay on the safe side as an in-house lawyer.
What is Cybersecurity
Cybersecurity is the art of protecting computers and data from unauthorized access and use. According to the United States Cybersecurity and Infrastructure Security Agency, CISA, cybersecurity protects the confidentiality, integrity, and availability (CIA) of data. Another goal is to prevent unauthorized use of, control of, and damage to computer systems.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is used by the US Government and many other organizations, and it is a good foundation. Version 1.1 of the framework divides cybersecurity into five core functions (version 2.0, released in 2024, adds a sixth, Govern, that cuts across the other five):
Figure 1.1 NIST Cybersecurity Framework.
- Identify: understand the risk to systems, people, assets, data, and capabilities.
- Protect: implement safeguards to ensure delivery of critical services.
- Detect: identify cybersecurity events.
- Respond: act against detected cybersecurity incidents.
- Recover: maintain plans for resilience and restore any capabilities or services that were impaired due to a cybersecurity incident.
This framework, which goes into much greater depth than I’ve presented here, is a useful way to conceptualize cybersecurity issues. Cybersecurity can often feel untethered and hyper-technical, so frameworks are helpful.
However, while frameworks are useful, compliance is not security. Compliance asks the wrong question: “Are we meeting a standard?” Security asks, “What are my threats and vulnerabilities, and what can I do about them?” Cybersecurity is a global game of action and reaction with threat actors, and it evolves daily.
There are a host of legal issues too! In-house attorneys should be involved in many aspects of cybersecurity:
- Governance. Establishing the board and executive management structures and processes for directing cybersecurity efforts in the organization (internal security management systems).
- Compliance. Collecting, interpreting, and implementing the various cybersecurity-related regulations and laws from around the world.
- 3rd Party Issues. Ensuring third-party relationships address cybersecurity risks. This includes adding cybersecurity requirements to contracts and supporting monitoring and audits of suppliers to ensure they are meeting their cybersecurity obligations.
- Risk Management. Working with business units and cybersecurity teams to identify and manage cybersecurity risks in operations.
- Incident Management. When a cybersecurity incident happens, working with the board, executives, insurance companies, third-party incident response teams, and the business unit to legally and effectively manage the incident, restore operations, preserve evidence and address corporate liability issues.
Understanding the Threats and Risks
Today, the umbrella term for people intentionally doing bad things using computers is cyber “threat actors.” They include skilled criminals, criminal groups, nation-states, activists, script kiddies, trolls, and bored people. Threat actors attack companies for various reasons, including to steal valuable information, to disrupt operations, to demonstrate that they can, and to make a political statement. Often the motives are mixed.
Threat actors may be very targeted or may spray attacks across the internet, hoping to get lucky when some poor person clicks a link. They may use commonly available tools, craft their own tools, or rent hacking services (e.g., malware-as-a-service, ransomware-as-a-service). Tools are always evolving, particularly in response to advances in security tools.
Threat actors generally must take certain steps to execute a cyber attack. These steps are outlined in Lockheed Martin’s Cyber Kill Chain®. To move through those steps, actors use specific tactics, techniques, and procedures (TTPs). The MITRE Corporation maintains the widely used MITRE ATT&CK framework for categorizing and understanding TTPs. TTPs range from complicated to incredibly simple. You can learn quite a bit from previous cybersecurity attacks:
- 7 of the biggest hacks in history | CNN Business
- Colonial Pipeline Cyberattack Highlights Need for Better Federal and Private-Sector Preparedness (infographic) | U.S. GAO
- Fox Kitten Campaign: Widespread Iranian Espionage-Offensive Campaign
- Massive Security Breach At Sony — Here’s What You Need To Know (forbes.com)
The deeper you go into the attacks, the more you should start to connect what you do as a lawyer with the ability of an attacker to exploit your systems.
A major aspect of cyber attacks can be surprisingly low-tech reconnaissance. Research by skilled threat actors tends to start with old-fashioned sleuthing. They want to understand their target and its vulnerabilities. They will collect information about your company; its employees; your business partners, customers and vendors; and your technology. They may use social engineering to elicit “innocuous information” from employees, use Open Source Intelligence (OSINT) tools, buy information on “dark web” sites, scan and map your network, dumpster dive, and identify the security tools your company uses.
To help secure systems, defenders continuously work to identify and address vulnerabilities. Vendors and researchers report vulnerabilities and exploits in several shared places, including the Common Vulnerabilities and Exposures (CVE) Program run by MITRE, the Exploit Database run by Offensive Security, and the National Vulnerability Database (NVD) run by NIST. Large vendors such as Microsoft act as CVE Numbering Authorities, publishing CVE records for the vulnerabilities they fix in their own products.
How companies manage the risks and threats
Cybersecurity is ultimately a risk-management field. Companies have four options for managing a risk: avoid, transfer, mitigate, or accept. Cybersecurity uses all four. Firms can decide not to place certain information on networks connected to the internet, avoiding the risk of it being hacked via the internet. Firms can purchase cyber insurance or transfer risk to vendors or customers via contracts. Much of cybersecurity is about mitigating risks. Finally, firms must accept some risk if they want to continue to use the internet (or, really, any computers).
Cybersecurity practitioners use passive and active measures to mitigate the risk of a cyber incident and protect computer systems. The foundation and most passive defense is good System Architecture. Without it, it doesn’t matter how many tools you deploy — you will still be vulnerable. Most large organizations have very complex IT architecture, which creates many challenges. It is even more challenging when you realize that your systems are often integrated with third-party systems. Quickly it can feel a bit overwhelming.
On top of architecture, Passive Defenses, like anti-virus or multi-factor authentication, are added to protect systems without constant human attention. Active Defenses add monitoring so that humans and machines can detect incidents and intervene. A common tool here is Security Information and Event Management (SIEM), which aggregates logs from your endpoints (laptops, phones, etc.), servers, and network devices and alerts analysts when something suspicious happens. A SIEM can also kick off automated technical responses, such as isolating an endpoint or disabling an account. Legal responses, such as going to court for a Temporary Restraining Order (TRO), are never automatic; they belong to the offensive measures discussed below.
These measures reduce harm but generally don’t eliminate it. Extending beyond our own systems, Cyber Threat Intelligence (CTI) collects information about threat actors and their capabilities. CTI may be exchanged in standard form, such as STIX (a JSON-based format for describing threats and indicators) delivered over TAXII (the protocol for sharing it), or in ad hoc JSON, XML, or spreadsheets. CTI should be relevant and usable. To be relevant it needs to be applicable to your organization, accurate, and timely. To be usable it needs to be machine-readable, consumable by your business processes, and actionable.
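To make the “relevant and usable” test concrete, here is an added example (not code from the original article) that consumes a small STIX 2.1 indicator bundle, keeps only indicators that are still valid at a given time, and checks constructed log lines against them. The bundle, identifiers, and log lines are all made up for the example; it uses only the standard library and handles only the simplest STIX pattern shape.

```python
"""Consume a STIX 2.1 indicator bundle and match it against logs.

Added example, not from the original article. Only the standard library
is used, the bundle is constructed (not real intelligence), and only the
simple STIX pattern form  [type:property = 'value']  is handled. A real
feed would arrive over TAXII and carry more fields than shown here.
"""
import json
import re
from datetime import datetime

# Constructed sample bundle, trimmed to the fields this example uses.
# Indicator ...0003 has already expired; ...0004 uses a compound pattern
# that this simple parser deliberately skips.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example.net']",
         "valid_from": "2024-01-10T00:00:00Z",
         "valid_until": "2024-12-31T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Old scanner IP", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7']",
         "valid_from": "2023-01-01T00:00:00Z",
         "valid_until": "2023-06-30T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "Compound pattern (skipped)", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = 'ab' AND file:size > 10]",
         "valid_from": "2024-02-01T00:00:00Z"},
    ],
})

# Matches exactly one equality comparison, e.g. [ipv4-addr:value = '1.2.3.4']
SIMPLE_PATTERN = re.compile(r"^\[([\w-]+):([\w.]+)\s*=\s*'([^']*)'\]$")


def parse_ts(value):
    """STIX timestamps are RFC 3339 UTC with a 'Z'; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_indicators(bundle_json):
    """Return the indicators whose pattern is a single equality we can act on."""
    out = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = SIMPLE_PATTERN.match(obj["pattern"])
        if not m:
            continue  # compound patterns need a real STIX pattern engine
        out.append({
            "id": obj["id"],
            "observable": f"{m.group(1)}:{m.group(2)}",
            "value": m.group(3),
            "valid_from": parse_ts(obj["valid_from"]),
            "valid_until": parse_ts(obj["valid_until"]) if "valid_until" in obj else None,
        })
    return out


def active_indicators(indicators, now):
    """Timeliness: keep indicators whose validity window contains 'now'."""
    return [i for i in indicators
            if i["valid_from"] <= now
            and (i["valid_until"] is None or now < i["valid_until"])]


def match_logs(indicators, log_lines):
    """Actionability: (indicator id, log line) pairs where the value appears."""
    return [(ind["id"], line) for line in log_lines
            for ind in indicators if ind["value"] in line]


def matches_at(bundle_json, now_iso, log_lines):
    """Full pipeline with a string timestamp, convenient for scripting."""
    active = active_indicators(load_indicators(bundle_json), parse_ts(now_iso))
    return match_logs(active, log_lines)


# Constructed log lines (not real traffic).
SAMPLE_LOGS = [
    "2024-03-01T12:00:01Z dns query host=wks-17 qname=c2.example.net",
    "2024-03-01T12:00:02Z fw allow src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2024-03-01T12:00:03Z dns query host=wks-17 qname=www.example.com",
]

if __name__ == "__main__":
    # Only the C2 domain hits: the scanner IP indicator expired in mid-2023.
    for ind_id, line in matches_at(SAMPLE_BUNDLE, "2024-03-01T00:00:00Z", SAMPLE_LOGS):
        print(ind_id, "->", line)
```

Run as of March 2024 the firewall line for 203.0.113.7 is ignored even though it appears in the logs, because that indicator is stale; run as of March 2023 the opposite happens. That is the difference between intelligence that is merely machine-readable and intelligence that is timely and actionable, and it is why contracts for CTI feeds should say something about how the provider expires and updates indicators.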
Finally, Offensive measures include legal countermeasures and self-defense outside your company’s systems: legal action to stop a threat actor, working with law enforcement, and, for governments, offensive cyber operations. Private companies should not “hack back”: in the United States, accessing someone else’s computer without authorization is a crime under the Computer Fraud and Abuse Act regardless of who attacked first, so a company’s offensive options are legal ones. At each level, attorneys have a role.
Where Cybersecurity and Law Meet?
Large companies employ specialized teams to manage cybersecurity. In small and medium-sized businesses (SMBs), it is not unusual for the IT staff to manage cybersecurity. It is also common for SMBs to engage a Managed Security Service Provider (MSSP). In all cases, these teams should be engaging with the law department. They need lawyers who embrace the unique qualities of cyber. Lawyers need to get smart on the issues and technology and be comfortable with the operational nature of cybersecurity.
Traditional legal support to cybersecurity includes advising, contracting, interpreting laws and regulations, drafting policies, and investigating breaches and policy violations. Cyber is unique, and cyber risks and issues hide in contracts and policies where lawyers must spot them. With practice, attorneys will begin to identify cybersecurity issues hidden in non-cyber-related activities (e.g., data sharing and storage; collection and storage of data by various teams; network access by contractors). How can you negotiate a contract for a new Data Loss Prevention (DLP) tool if you don’t know what DLP is, what it does, and what the goal of deploying it is?
Lawyers should support the company in establishing and operating a governance structure for cybersecurity. The cybersecurity governing person or body should receive legal counsel because many cyber issues have privacy, regulatory, and contractual implications. Ensuring that the cybersecurity governing body addresses all these issues, documents decisions, and is responsive to changes in the legal environment is a key role for in-house cybersecurity lawyers.
For example, the SEC recently announced new cybersecurity risk management, strategy, governance, and incident disclosure requirements. Lawyers will need to advise their internal clients on how to comply with these new regulations. Additionally, a major governance issue is how organizations share cybersecurity information. Reporting software vulnerabilities to the shared CVE databases and technology companies can make everyone safer. However, there are legal issues when sharing this type of information, so lawyers need to be involved in developing these policies.
A major cybersecurity issue for large firms is risk introduced to the organization through the supply chain. Every firm uses third-party hardware and software and transmits sensitive data to its suppliers. Using computers to store, process, and transmit information involves risks. It can’t be avoided entirely, so most of this risk is either transferred or mitigated. In many cases, firms use contract terms and audits to mitigate the risks inherent in using 3rd party technology. They may transfer the risk of a breach to the vendor or compel the vendor to meet cybersecurity standards that mitigate the risk of a breach.
When developing contract templates and negotiating contracts for Software as a Service (SaaS) or Platform as a Service (PaaS), it is important that attorneys work with cybersecurity to ensure the contract includes cybersecurity obligations. Key obligations include proper storage and transmission of data, limiting access to data, patching of systems, meeting industry standards (e.g., FedRAMP, ISO 27001, NIST), and reporting incidents within a defined time. Many firms have discovered that vendor contracts leave large gaps in their ability to monitor and secure their systems and data. While lawyers need not be the experts on these issues, they should be able to spot them.
A major role for cybersecurity lawyers is handling Cyber Incidents. This is even more important under the SEC’s new rule, which requires publicly traded companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material (the clock runs from the materiality determination, not from discovery). The management of a major cybersecurity incident typically involves the close cooperation of executive leaders, including the general counsel. The attorney often works to preserve evidence, meet the firm’s legal obligations, provide confidential legal advice to the corporate officers, and engage with outside entities to manage the incident (e.g., outside counsel, insurance companies, law enforcement).
Cybersecurity lawyers should have a checklist or playbook for how they will initially respond to a cybersecurity incident. In the first hours and days of an incident, checklists and playbooks increase the speed and effectiveness of the response. A company should periodically practice its response to a cyber incident to be ready. Checklists and playbooks are available from many sources, including the ABA. CISA’s playbook for federal agency cyber incident response is a good starting point.
Cybersecurity Legal Compliance
There are numerous and growing cybersecurity laws in the world. Generally, these laws impose three types of requirements: (1) data privacy; (2) cybersecurity; and (3) reporting.
- Data Privacy
Privacy laws tend to require companies to process, store and share information within certain limits. As almost all lawyers know, within the European Union, the General Data Protection Regulation (GDPR) puts limits on how companies collect, store, and share information. GDPR has rippled around the world, and many other countries have enacted similar data privacy laws, including:
- Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
- Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais (LGPD))
- Chinese Personal Information Protection Law (PIPL) (中华人民共和国个人信息保护法)
Within the United States, there are numerous laws affecting data privacy, including:
- The Health Insurance Portability and Accountability Act (HIPAA)
- Gramm–Leach–Bliley Act (GLBA)
- Children’s Online Privacy Protection Act (COPPA)
Several states add further legal protections, including:
- The California Consumer Privacy Act (CCPA)
- The California Privacy Rights Act (CPRA)
- The Virginia Consumer Data Protection Act
- The Colorado Privacy Act (CPA)
Most corporate IT is complex, and data is collected, stored and shared in many different ways and locations. It is important that corporate counsel be actively involved in discussions with business units that collect, store and process information. They should also be actively looking for previously unknown activities where data is being collected, stored, and processed.
- Cybersecurity Requirements
Governments around the world have passed laws and regulations that require businesses, particularly businesses in critical sectors, to meet and demonstrate minimum cybersecurity requirements. These laws may require the establishment of cybersecurity policies, governing structures, data classification, security practices, technical support and monitoring. They require greater cooperation within companies between lawyers, business units, cybersecurity, IT, and executives. In heavily regulated companies, lawyers will increasingly be involved in demonstrating compliance with cybersecurity regulations and in the inevitable back and forth with regulators to understand and negotiate compliance issues.
- Incident Reporting
Many countries require companies to report data breaches and cybersecurity incidents. In the United States, the SEC’s new regulation for publicly traded companies will require reporting of “material cybersecurity incidents.” In Canada, the Personal Information Protection and Electronic Documents Act, requires “an organization [to] report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”
Cybersecurity evolves quickly and is full of jargon. This jargon can vary from team to team or company to company. Cybersecurity law and policy can be a daunting field to enter because of its highly technical nature, endless jargon, rapid evolution, and adversarial nature. As a lawyer, you bring badly-needed special skills — your ability to identify root issues, break complex problems into pieces, exclude irrelevant information, use questions to pull out critical information and communicate clearly. Strong cybersecurity lawyers are and will continue to be important members of the cybersecurity team.